Methods, systems, and devices for wireless communication are described. In one method, a wireless device may securely communicate with a local area network (LAN), via a first connection with a source access node (AN), based on a first security key. The wireless device may perform a handover from the source AN to a target AN. The wireless device may derive a second security key based on the first security key, and securely communicate with the LAN, via a second connection with the target AN, based on the second security key and a restriction policy for the second security key. The wireless device may perform an authentication procedure to obtain a third security key, which may not be subject to the restriction policy, and securely communicate with the LAN, via the second connection with the target AN, based on the third security key.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of wireless communication at a wireless device, the method comprising: securely communicating with a local area network (LAN), via a first connection with a source access node (AN) of the LAN, based at least in part on a first security key, wherein the wireless device communicates with the source AN via the first connection via a radio access network (RAN) that is based at least in part on a cellular radio access technology (RAT) and is distinct from the LAN; performing a handover from the source AN of the LAN to a target AN of the LAN; deriving a second security key based at least in part on the first security key; securely communicating with the LAN, via a second connection with the target AN of the LAN, based at least in part on the second security key and a restriction policy for the second security key, the second connection being made via the RAN; performing an authentication procedure, via the second connection, with an authentication node of the LAN to obtain a third security key; and securely communicating with the LAN, via the second connection with the target AN of the LAN, based at least in part on the third security key.
2. The method of claim 1, wherein the restriction policy for the second security key comprises at least one of: a time interval for which the second security key is valid for securely communicating with the LAN via the second connection, a number of packets for which the second security key is valid for securely communicating with the LAN via the second connection, a set of one or more radio bearers for which the second security key is valid for securely communicating with the LAN via the second connection, a radio bearer type for which the second security key is valid for securely communicating with the LAN via the second connection, or a combination thereof.
3. The method of claim 1, wherein securely communicating with the LAN based at least in part on the third security key occurs at a different time than securely communicating with the LAN based at least in part on the second security key.
4. The method of claim 1, further comprising: switching from securely communicating with the LAN based at least in part on the second security key to securely communicating with the LAN based at least in part on the third security key, the switching based at least in part on: a configuration message received from the target AN, an availability of the third security key, or a combination thereof.
5. The method of claim 1, further comprising: receiving the restriction policy for the second security key in at least one of: configuration information received from the LAN, a handover command message received from the source AN of the LAN, configuration information received from the target AN, or a combination thereof.
6. The method of claim 1, wherein the authentication procedure is performed on a first radio bearer and securely communicating with the LAN based at least in part on the third security key is performed on a second radio bearer, the second radio bearer being different from the first radio bearer.
7. The method of claim 6, wherein the first radio bearer comprises at least one of: a signaling radio bearer, a data radio bearer, or a combination thereof.
8. The method of claim 1, wherein the authentication node comprises an authentication server and the authentication procedure is based at least in part on an extensible authentication protocol (EAP).
9. The method of claim 1, wherein the authentication node comprises a wireless LAN controller and the authentication procedure is based at least in part on: a supplicant key holder identifier (ID), an authenticator key holder ID, a pairwise master key (PMK) ID, a PMK name, or a combination thereof.
10. The method of claim 1, further comprising: receiving, from the source AN of the LAN, configuration information for the target AN; and establishing the second connection with the target AN of the LAN based at least in part on the received configuration information for the target AN of the LAN.
11. The method of claim 1, further comprising: measuring at least one signal received from the target AN of the LAN; and receiving a handover command based at least in part on the measuring.
12. An apparatus for wireless communication at wireless device, the apparatus comprising: a processor; memory in electronic communication with the processor; and instructions stored in the memory and operable, when executed by the processor, to cause the apparatus to: securely communicate with a local area network (LAN), via a first connection with a source access node (AN) of the LAN, based at least in part on a first security key, wherein the wireless device communicates with the source AN via the first connection via a radio access network (RAN) that is based at least in part on a cellular radio access technology (RAT) and is distinct from the LAN; perform a handover from the source AN of the LAN to a target AN of the LAN; derive a second security key based at least in part on the first security key; securely communicate with the LAN, via a second connection with the target AN of the LAN, based at least in part on the second security key and a restriction policy for the second security key, the second connection being made via the RAN; perform an authentication procedure, via the second connection, with an authentication node of the LAN to obtain a third security key; and securely communicate with the LAN, via the second connection with the target AN of the LAN, based at least in part on the third security key.
13. The apparatus of claim 12, wherein the restriction policy for the second security key comprises at least one of: a time interval for which the second security key is valid for securely communicating with the LAN via the second connection, a number of packets for which the second security key is valid for securely communicating with the LAN via the second connection, a set of one or more radio bearers for which the second security key is valid for securely communicating with the LAN via the second connection, a radio bearer type for which the second security key is valid for securely communicating with the LAN via the second connection, or a combination thereof.
14. The apparatus of claim 12, wherein the instructions to securely communicate with the LAN based at least in part on the third security key are operable at a different time than the instructions to securely communicate with the LAN based at least in part on the second security key.
15. The apparatus of claim 12, wherein the instructions are operable to cause the apparatus to: switch from securely communicating with the LAN based at least in part on the second security key to securely communicating with the LAN based at least in part on the third security key, the switching based at least in part on: a configuration message received from the target AN, an availability of the third security key, or a combination thereof.
16. The apparatus of claim 12, wherein the instructions are operable to cause the apparatus to: receive the restriction policy for the second security key in at least one of: configuration information received from the LAN, a handover command message received from the source AN of the LAN, configuration information received from the target AN, or a combination thereof.
17. The apparatus of claim 12, wherein the authentication procedure is performed on a first radio bearer and securely communicating with the LAN based at least in part on the third security key is performed on a second radio bearer, the second radio bearer being different from the first radio bearer.
18. The apparatus of claim 17, wherein the first radio bearer comprises at least one of: a signaling radio bearer, a data radio bearer, or a combination thereof.
19. The apparatus of claim 12, wherein the authentication node comprises an authentication server and the authentication procedure is based at least in part on an extensible authentication protocol (EAP).
20. The apparatus of claim 12, wherein the authentication node comprises a wireless LAN controller and the authentication procedure is based at least in part on: a supplicant key holder identifier (ID), an authenticator key holder ID, a pairwise master key (PMK) ID, a PMK name, or a combination thereof.
21. The apparatus of claim 12, wherein the instructions are operable to cause the apparatus to: receive, from the source AN of the LAN, configuration information for the target AN; and establish the second connection with the target AN of the LAN based at least in part on the received configuration information for the target AN of the LAN.
22. The apparatus of claim 12, wherein the instructions are operable to cause the apparatus to: measure at least one signal received from the target AN of the LAN; and receive a handover command based at least in part on the measuring.
23. An apparatus for wireless communication at a wireless device, the apparatus comprising: means for securely communicating with a local area network (LAN), via a first connection with a source access node (AN) of the LAN, based at least in part on a first security key, wherein the wireless device communicates with the source AN via the first connection via a radio access network (RAN) that is based at least in part on a cellular radio access technology (RAT) and is distinct from the LAN; means for performing a handover from the source AN of the LAN to a target AN of the LAN; means for deriving a second security key based at least in part on the first security key; means for securely communicating with the LAN, via a second connection with the target AN of the LAN, based at least in part on the second security key and a restriction policy for the second security key, the second connection being made via the RAN; means for performing an authentication procedure, via the second connection, with an authentication node of the LAN to obtain a third security key; and means for securely communicating with the LAN, via the second connection with the target AN of the LAN, based at least in part on the third security key.
24. A non-transitory computer-readable medium storing computer-executable code for wireless communication at wireless device, the code executable to: securely communicate with a local area network (LAN), via a first connection with a source access node (AN) of the LAN, based at least in part on a first security key, wherein the wireless device communicates with the source AN via the first connection via a radio access network (RAN) that is based at least in part on a cellular radio access technology (RAT) and is distinct from the LAN; perform a handover from the source AN of the LAN to a target AN of the LAN; derive a second security key based at least in part on the first security key; securely communicate with the LAN, via a second connection with the target AN of the LAN, based at least in part on the second security key and a restriction policy for the second security key, the second connection being made via the RAN; perform an authentication procedure, via the second connection, with an authentication node of the LAN to obtain a third security key; and securely communicate with the LAN, via the second connection with the target AN of the LAN, based at least in part on the third security key.
25. A method of wireless communication at an access node (AN) of a local area network (LAN), the method comprising: establishing a connection with a wireless device; receiving a first security key from a first network node of the LAN, the first security key associated with a restriction policy for the first security key, wherein the wireless device communicates with the first network node via a radio access network (RAN) that is based at least in part on a cellular radio access technology (RAT) and is distinct from the LAN; relaying authentication information associated with an authentication procedure performed between the wireless device and a second network node of the LAN; receiving a second security key from the second network node of the LAN based at least in part on the relayed authentication information; transmitting secure communications between the wireless device and the LAN, via the connection, based at least in part on the first security key, wherein use of the first security key is determined by the restriction policy for the first security key; and transmitting secure communications between the wireless device and the LAN, via the connection, based at least in part on the second security key, wherein the connection is made via the RAN.
26. The method of claim 25, wherein the restriction policy for the first security key comprises at least one of: a time interval for which the first security key is valid for the wireless device to securely communicate with the LAN via the connection, a number of packets for which the first security key is valid for the wireless device to securely communicate with the LAN via the connection, a set of one or more radio bearers for which the first security key is valid for the wireless device to securely communicate with the LAN via the connection, a radio bearer type for which the first security key is valid for the wireless device to securely communicate with the LAN via the connection, or a combination thereof.
27. The method of claim 25, further comprising: switching from transmitting secure communications between the wireless device and the LAN, via the connection, based at least in part on the first security key, to transmitting secure communications between the wireless device and the LAN, via the connection, based at least in part on the second security key, the switching based at least in part on: the restriction policy for the first security key, an availability of the second security key, or a combination thereof.
28. The method of claim 25, wherein the authentication procedure is performed on a first radio bearer associated with the connection and the secure communications are transmitted on a second radio bearer associated with the connection, the second radio bearer associated with the connection being different from the first radio bearer associated with the connection.
29. The method of claim 28, wherein the first radio bearer associated with the connection comprises at least one of: a signaling radio bearer, a data radio bearer, or a combination thereof.
30. The method of claim 25, further comprising: deriving a third security key based at least in part on the second security key.
31. The method of claim 25, further comprising: transmitting the restriction policy for the first security key to at least one of: the first network node, the wireless device, or a combination thereof.
32. The method of claim 25, wherein the second network node comprises a wireless LAN controller and the authentication procedure is based at least in part on: a supplicant key holder identifier (ID), an authenticator key holder ID, a pairwise master key (PMK) ID, a PMK name, or a combination thereof.
33. The method of claim 25, wherein the second network node comprises an authentication server and the authentication procedure is based at least in part on an extensible authentication protocol (EAP).
34. An apparatus for wireless communication at an access node (AN) of a local area network (LAN), the apparatus comprising: a processor; memory in electronic communication with the processor; and instructions stored in the memory and operable, when executed by the processor, to cause the apparatus to: establish a connection with a wireless device; receive a first security key from a first network node of the LAN, the first security key associated with a restriction policy for the first security key, wherein the wireless device communicates with the first network node via a radio access network (RAN) that is based at least in part on a cellular radio access technology (RAT) and is distinct from the LAN; relay authentication information associated with an authentication procedure performed between the wireless device and a second network node of the LAN; receive a second security key from the second network node of the LAN based at least in part on the relayed authentication information; transmit secure communications between the wireless device and the LAN, via the connection, based at least in part on the first security key, wherein use of the first security key is determined by the restriction policy for the first security key; and transmit secure communications between the wireless device and the LAN, via the connection, based at least in part on the second security key, wherein the connection is made via the RAN.
35. The apparatus of claim 34, wherein the restriction policy for the first security key comprises at least one of: a time interval for which the first security key is valid for the wireless device to securely communicate with the LAN via the connection, a number of packets for which the first security key is valid for the wireless device to securely communicate with the LAN via the connection, a set of one or more radio bearers for which the first security key is valid for the wireless device to securely communicate with the LAN via the connection, a radio bearer type for which the first security key is valid for the wireless device to securely communicate with the LAN via the connection, or a combination thereof.
36. The apparatus of claim 34, wherein the instructions are operable to cause the apparatus to: switch from transmitting secure communications between the wireless device and the LAN, via the connection, based at least in part on the first security key, to transmitting secure communications between the wireless device and the LAN, via the connection, based at least in part on the second security key, the switching based at least in part on: the restriction policy for the first security key, an availability of the second security key, or a combination thereof.
37. The apparatus of claim 34, wherein the authentication procedure is performed on a first radio bearer associated with the connection and the secure communications are transmitted on a second radio bearer associated with the connection, the second radio bearer associated with the connection being different from the first radio bearer associated with the connection.
38. The apparatus of claim 37, wherein the first radio bearer associated with the connection comprises at least one of: a signaling radio bearer, a data radio bearer, or a combination thereof.
39. The apparatus of claim 34, wherein the instructions are operable to cause the apparatus to: derive a third security key based at least in part on the second security key.
40. The apparatus of claim 34, wherein the instructions are operable to cause the apparatus to: transmit the restriction policy for the first security key to at least one of: the first network node, the wireless device, or a combination thereof.
41. The apparatus of claim 34, wherein the second network node comprises a wireless LAN controller and the authentication procedure is based at least in part on: a supplicant key holder identifier (ID), an authenticator key holder ID, a pairwise master key (PMK) ID, a PMK name, or a combination thereof.
42. The apparatus of claim 34, wherein the second network node comprises an authentication server and the authentication procedure is based at least in part on an extensible authentication protocol (EAP).
43. An apparatus for wireless communication at an access node (AN) of a local area network (LAN), the apparatus comprising: means for establishing a connection with a wireless device; means for receiving a first security key from a first network node of the LAN, the first security key associated with a restriction policy for the first security key, wherein the wireless device communicates with the first network node via a radio access network (RAN) that is based at least in part on a cellular radio access technology (RAT) and is distinct from the LAN; means for relaying authentication information associated with an authentication procedure performed between the wireless device and a second network node of the LAN; means for receiving a second security key from the second network node of the LAN based at least in part on the relayed authentication information; means for transmitting secure communications between the wireless device and the LAN, via the connection, based at least in part on the first security key, wherein use of the first security key is determined by the restriction policy for the first security key; and means for transmitting secure communications between the wireless device and the LAN, via the connection, based at least in part on the second security key, wherein the connection is made via the RAN.
44. A non-transitory computer-readable medium storing computer-executable code for wireless communication at an access node (AN) of a local area network (LAN), the code executable to: establish a connection with a wireless device; receive a first security key from a first network node of the LAN, the first security key associated with a restriction policy for the first security key, wherein the wireless device communicates with the first network node via a radio access network (RAN) that is based at least in part on a cellular radio access technology (RAT) and is distinct from the LAN; relay authentication information associated with an authentication procedure performed between the wireless device and a second network node of the LAN; receive a second security key from the second network node of the LAN based at least in part on the relayed authentication information; transmit secure communications between the wireless device and the LAN, via the connection, based at least in part on the first security key, wherein use of the first security key is determined by the restriction policy for the first security key; and transmit secure communications between the wireless device and the LAN, via the connection, based at least in part on the second security key, wherein the connection is made via the RAN.
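The key lifecycle described in the abstract and in claims 1, 2, 4 and 6, modelled as an added example that is not taken from the patent: a second key derived from the first at handover is usable only inside its restriction policy until a third key from full authentication replaces it. The HMAC-SHA256 derivation, the class and function names, the bearer labels (`SRB1`, `DRB1`, `DRB2`) and all key material are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

class PolicyViolation(Exception):
    """The restricted (second) key may not protect this packet."""

def derive_second_key(first_key: bytes, target_an_id: bytes) -> bytes:
    # Assumption: HMAC-SHA256 as the KDF, bound to the target AN identity.
    # The patent text only says the second key is derived from the first.
    return hmac.new(first_key, b"handover|" + target_an_id, hashlib.sha256).digest()

@dataclass(frozen=True)
class RestrictionPolicy:
    valid_seconds: float        # time interval the second key is valid
    max_packets: int            # number of packets it may protect
    allowed_bearers: frozenset  # radio bearers it may be used on

@dataclass
class TargetSession:
    second_key: Optional[bytes]
    policy: RestrictionPolicy
    started_at: float
    third_key: Optional[bytes] = None
    packets_on_second: int = 0

    def install_third_key(self, key: bytes) -> None:
        # Availability of the third key triggers the switch (claim 4);
        # the restricted key is retired so it cannot be used again.
        self.third_key, self.second_key = key, None

    def select_key(self, bearer: str, now: float):
        if self.third_key is not None:
            return "third", self.third_key  # not subject to the policy
        p = self.policy
        if bearer not in p.allowed_bearers:
            raise PolicyViolation(f"bearer {bearer} not allowed for second key")
        if now - self.started_at > p.valid_seconds:
            raise PolicyViolation("second key validity interval elapsed")
        if self.packets_on_second >= p.max_packets:
            raise PolicyViolation("second key packet budget exhausted")
        self.packets_on_second += 1
        return "second", self.second_key

    def protect(self, bearer: str, payload: bytes, now: float):
        # Integrity tag only, to keep the sketch short; returns (key used, tag).
        label, key = self.select_key(bearer, now)
        return label, hmac.new(key, bearer.encode() + b"|" + payload, hashlib.sha256).digest()

def demo():
    first_key = bytes(range(32))  # constructed sample key
    second = derive_second_key(first_key, b"target-an-01")
    policy = RestrictionPolicy(5.0, 3, frozenset({"SRB1", "DRB1"}))
    s = TargetSession(second, policy, started_at=100.0)
    trace = [("SRB1", 100.5), ("DRB2", 101.0), ("DRB1", 101.5),
             ("DRB1", 102.0), ("DRB1", 102.5)]
    out = []
    for bearer, now in trace:
        try:
            out.append(s.protect(bearer, b"pkt", now)[0])
        except PolicyViolation:
            out.append("blocked")
    # Constructed stand-in for the key produced by the authentication procedure.
    s.install_third_key(hashlib.sha256(b"constructed auth output").digest())
    out.append(s.protect("DRB2", b"pkt", 103.0)[0])
    return out
```

The fail-closed behaviour is the point for an implementer: once any limit in the policy is hit, traffic stops on the second key instead of continuing until authentication completes.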
March 2, 2017
April 14, 2020